The Risks and Realities of “Security Fatigue”

Back in the day—just ten years ago—a cyber-related incident was a big deal. When a major brand was breached on the internet, people freaked out. It was pretty rare, but when it happened—it was something to remember. Today, cyber risk warnings feel almost constant. When we aren’t hearing about a big-time breach or celebrity vulnerability, we’re being bombarded with security prognostications of certain doom and gloom. It can be downright exhausting.

It’s not that the warnings are misplaced; it’s just that people can’t take the onslaught, and they eventually tune it out. It’s our nature, and it’s known as “security fatigue.” In fact, a 2016 study by the National Institute of Standards and Technology (NIST) found that the majority of typical computer users who experience security fatigue often engage in risky computing behavior at work and in their personal lives, mostly because they are tired of caring so much.

Case In Point: Cookie Fatigue, Courtesy of GDPR

Consider the recent explosion of cookie popups since the GDPR became a thing. The intent is clear—to make people more aware of what they are doing. But is it effective? Doubtful. Ever since May 25th, just about every website now serves a cookie popup. As relatively tech-savvy people, we know what cookies are—and generally feel OK with websites using them. Those who aren’t simply change their browser settings to never accept cookies. These popups may check the compliance box, but they are still a massive annoyance that people tend to dismiss as quickly as possible. Fortunately, most sites make this easy because “accept” is the prominent option.

But what about those folks who don’t know anything about cookies? Maybe they select the “manage cookies” link the first couple of times. But after that? I’m betting 100% of people just click through. Despite the good intention of trying to help people take some level of data privacy into their own hands, the net result is it creates too many interruptions, so people simply ignore it and try to move past the cookie conversation as quickly as they can—after all, they have stuff to do. Just a few months have passed, but we’ve all got cookie fatigue. In the grand scheme of things, cookies aren’t at the top of the security risk list, but anything that contributes to security fatigue can lead to serious, long-term security consequences.

Security Fatigue Isn’t Just An End-user Problem

Security fatigue happens at the organizational level, too. Tools generate so many alerts. There are so many different international, federal, and state data privacy regulations. Vendors issue so many patches and updates. Users have so many devices. There’s so much data being created, transferred, and stored. It’s so … much. And with the global shortage of cybersecurity talent, infosec teams are running lean. It’s no wonder burnout is a huge industrywide problem.

And it’s not just in the security trenches. Right now, corporate boards are facing increased cybersecurity scrutiny and liability exposure, especially in public companies. This can be a good thing. It gives non-technical executive leaders an incentive to learn at least the basics of cyber risk. And it motivates companies to invest in securing the company’s data and systems, and in protecting employees, customers, and partners. But when the newness and scariness of the board-level security spotlight starts to wear off, security fatigue will set in here, too.

What Kind of Problem Is It—and What’s the Solution?

Is it about technology? Training? Regulation? None of these approaches alone will address the issue. Some cyberattacks are purely technology-based—they exploit system vulnerabilities—and we need to close those holes. But many attacks exploit human vulnerabilities, and that’s where it gets tough. The problem with both training and regulations is that they tend to be reactive. That might have been fine in the “early days” when hacking was more of an individual sport (and long before security fatigue). But today, cyber criminals are smart, sophisticated, and highly organized. They are always looking for new angles or approaches to infiltrate systems. And as long as humans are fallible, there will be a limitless number of potential attack vectors to exploit.

We need to teach people how to be smart about security and build better habits. We need to do more than teach them to spot the tricks used in the past; that simply moves the goalposts and adds to the noise that produces security fatigue. If you tell people not to respond to emails from Nigerian princes, they may still fall for a phishing email that looks like it came from their bank. (There’s got to be a clever “give a man a phish/teach a man to phish” joke in here somewhere…)

And then, from a technology perspective, we need to make it easy for users to make smart decisions. The NIST report concluded that there are three ways to alleviate security fatigue:

1. Limit the number of security decisions users need to make.
2. Make it simple for users to choose the right security action.
3. Design for consistent decision-making whenever possible.

As for regulations, if we do a good job of making good cybersecurity habits as natural as locking your house every time you leave, and supporting that with systems that make it easy to stay safe, there will be far less need to attempt to legislate desired behavior (“attempt” being the operative word).

It’s tempting to compare security fatigue to Chicken Little. Chicken Little was mistaken in his belief that disaster was imminent, but in our world, the sky really can fall (metaphorically speaking) and cause a lot of damage. Which is why we need to help users be smart about security, without the fatigue.

Spent her 20+ year career advising and working for organizations ranging from small startups to Fortune 1000 enterprises, with both in-house and agency experience. A seasoned writer with frequent content contributions to various media platforms.



The materials on this website may not be modified, distributed, posted or transmitted without the prior written consent of Hacker Combat LLC. 1997-2018 All rights reserved.
